RSI Security

SaaS Security Risks Surge with Salesforce Breach, Sitecore Exploit, and Drift OAuth Compromise

A wave of SaaS security threats—from OAuth token theft to RCE exploits—puts Salesforce, Sitecore, and Qualys in the crosshairs.

A growing wave of SaaS security threats is shaking up the cybersecurity landscape. This week’s incidents include a massive breach of Salesforce environments via compromised OAuth tokens in Drift, a critical Sitecore vulnerability added to CISA’s KEV catalog, and a confirmed supply-chain breach at Qualys—all underscoring how interconnected software-as-a-service platforms and CMS systems have become primary attack vectors.

CISA Adds Sitecore CVE‑2025‑53690 to KEV Catalog

CISA has mandated that all federal agencies patch CVE‑2025‑53690 by September 25, 2025. This critical vulnerability affects Sitecore XP, XM, and Experience Commerce (prior to v9.0) and arises from insecure deserialization combined with a hardcoded ASP.NET machine key—an insecure default setting that was publicly disclosed by researchers earlier this year. The flaw allows unauthenticated attackers to remotely execute arbitrary code on affected systems, posing a direct threat to both public and private sector organizations running unpatched instances of Sitecore.

Threat actors are already exploiting this vulnerability in the wild, likely using automated tools to scan for exposed instances. Once compromised, attackers could deploy web shells, alter website content, or pivot into internal systems—turning what appears to be a CMS misconfiguration into a full-scale breach vector. Sitecore has issued vendor patches, and CISA’s inclusion of CVE‑2025‑53690 in its Known Exploited Vulnerabilities (KEV) catalog signals the urgency of immediate action.

Organizations must not only apply patches, but also rotate any cryptographic machine keys, verify that no unauthorized changes have occurred, and review server logs for indicators of compromise. This is especially critical for agencies in regulated industries where a compromise could result in data loss, reputational harm, or compliance penalties.

Why it matters: Deserialization bugs in CMS platforms are high-impact, allowing total system takeover if left unpatched—and this one is already being weaponized.

SaaS Security Breach Targets Salesforce via Drift OAuth Integration

This week’s breach report centers on compromised OAuth tokens used in Drift’s integration with Salesforce and Salesloft. The attacker group, identified as UNC6395, launched a coordinated campaign to harvest refresh tokens and authentication credentials at scale. These stolen tokens granted access to Salesforce environments without triggering multi-factor authentication or login alerts. As a result, attackers gained a silent foothold into enterprise systems.

The breach occurred between August 8–18, 2025, but investigations have revealed the root cause to be a Salesloft GitHub compromise from as early as March. Malicious code or secrets exfiltrated during that window were later weaponized in the Drift-Salesforce connector to facilitate access to sensitive customer data.

Impacted organizations span across critical sectors and include:

Once inside, attackers conducted SOQL queries to pull internal records, including lead and support case data, and in some instances, exposed secrets like AWS credentials and Snowflake keys. This breach not only exploited trust in OAuth-based integrations but also highlighted a serious gap in SaaS token lifecycle monitoring.

The incident is now considered one of the most impactful SaaS security breaches of 2025 and has prompted widespread reviews of third-party app governance.

Why it matters: OAuth tokens grant direct access, bypassing login alerts and MFA—making them a stealthy and dangerous attack vector in SaaS environments.

Qualys Confirms Salesforce Breach via Drift OAuth Connector

Qualys is one of the confirmed victims of the OAuth token hijack campaign. Attackers gained unauthorized access to its Salesforce instance through a compromised Drift integration. The breach did not impact Qualys’ cloud infrastructure, vulnerability scanners, or endpoint protection agents. However, it did result in the exposure of sensitive CRM data. This included customer contact details, internal support communications, and active engagement records used by sales and service teams.

Upon detecting suspicious access patterns, Qualys immediately disabled the Drift connector and engaged Mandiant to lead a full forensic investigation. Early findings suggest the attacker used compromised OAuth tokens to execute queries against Salesforce data objects without raising typical authentication red flags. Although no malicious activity was found in operational systems, the breach raised alarms about data leakage through overlooked third-party tools.
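The two patterns described above (SOQL pulls of lead and support case data, and queries that raise no authentication alarms because the OAuth token is valid) are an authorization problem, not an authentication one, so detection has to look at what each connected app reads rather than at logins. Below is an added example, not code from RSI Security, Qualys or Salesforce, that baselines the objects an integration is expected to touch and flags bulk or unfiltered reads outside that baseline. The log format, app names and per-app baseline are constructed for illustration and do not match the real Salesforce EventLogFile schema.

```python
from collections import defaultdict

# Constructed '|'-separated log (not the real Salesforce EventLogFile schema):
# timestamp|connected_app|user|object|rows_processed|soql
# Sample: an app that normally syncs Lead/Contact deltas suddenly dumps other objects.
SAMPLE_LOG = """\
2025-08-09T02:14:07Z|DriftChat|integ@example.com|Lead|180|SELECT Id,Email FROM Lead WHERE LastModifiedDate = LAST_N_DAYS:1
2025-08-09T02:14:09Z|DriftChat|integ@example.com|Contact|95|SELECT Id,Email FROM Contact WHERE LastModifiedDate = LAST_N_DAYS:1
2025-08-09T03:01:11Z|DriftChat|integ@example.com|Case|50000|SELECT Id,Subject,Description FROM Case
2025-08-09T03:02:40Z|DriftChat|integ@example.com|User|1200|SELECT Id,Username,Email FROM User
2025-08-09T03:03:02Z|DriftChat|integ@example.com|Opportunity|20000|SELECT Id,Amount FROM Opportunity
2025-08-09T08:30:00Z|MarketingSync|mkt@example.com|Lead|400|SELECT Id FROM Lead WHERE Status = 'Open'
"""

# Hypothetical per-app baseline: the objects each integration is expected to read.
EXPECTED_OBJECTS = {"DriftChat": {"Lead", "Contact"}, "MarketingSync": {"Lead"}}
BULK_ROWS = 10_000  # rows returned by one call that we treat as a bulk extraction


def parse_log(text):
    """Parse the constructed log into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 5)
        if len(parts) != 6:
            continue
        ts, app, user, obj, rows, soql = parts
        records.append({"ts": ts, "app": app, "user": user, "object": obj,
                        "rows": int(rows), "soql": soql.strip()})
    return records


def flag_records(records, expected=EXPECTED_OBJECTS, bulk_rows=BULK_ROWS):
    """Return (findings, rows read per app). Flag reads of objects outside the
    app's baseline, calls returning >= bulk_rows rows, and unfiltered queries."""
    findings, totals = [], defaultdict(int)
    for r in records:
        totals[r["app"]] += r["rows"]
        reasons = []
        if r["object"] not in expected.get(r["app"], set()):
            reasons.append("object_outside_baseline")
        if r["rows"] >= bulk_rows:
            reasons.append("bulk_pull")
        if " WHERE " not in r["soql"].upper():
            reasons.append("unfiltered_query")
        if reasons:
            findings.append({"ts": r["ts"], "app": r["app"], "object": r["object"],
                             "rows": r["rows"], "reasons": reasons})
    return findings, dict(totals)
```

On the sample, the three Case/User/Opportunity reads are flagged while the routine delta syncs are not; the per-app row totals give a second signal for alerting on volume, which is what "token lifecycle monitoring" needs in practice.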

In response, Qualys has launched a company-wide review of SaaS application permissions and is implementing stricter access controls across its CRM ecosystem. The incident shows that even highly secure vendors can be exposed: integrated SaaS apps that lack proper monitoring, or that rely on outdated token policies, pose significant risk.

Other affected vendors are now taking similar steps, emphasizing the urgent need for SaaS supply-chain visibility, token hygiene, and application vetting.

Why it matters: One compromised SaaS connector can expose hundreds of downstream clients—making app vetting and monitoring a top priority.

How to Respond to a SaaS Security Breach

To mitigate the impact of current threats and prepare for future incidents, organizations should take the following immediate actions:

Want help securing your SaaS stack or auditing integration risk?
Explore our Managed SaaS Security Services or schedule a risk assessment today.
